Splunk Enterprise Security

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

ajaylowes
Path Finder

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

For starters, i need to pull the information from the investigation panel so that i can run the python script to push the data to the API.

0 Karma

LukeMurphey
Champion
0 Karma

ajaylowes
Path Finder

@LukeMurphey For some strange reason, I don't see any event_id in my notable index.
Secondly, I want to fetch the notable info (not update the notable).

Can you please help me out?

0 Karma

lakshman239
Influencer

If you run the `notable` macro search, you should see rule_id and event_id [they are the same fields]:

`notable` | table _time, source, event_id, rule_id
0 Karma
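The answer above gives the search; the original question also asks how to run it from a Python script and hand the rows to a third-party API. The block below is an added example, not code from the thread or from Splunk. It runs the `notable` search through Splunk's REST endpoint /services/search/jobs (exec_mode=oneshot, output_mode=json), maps each row to a ticket and POSTs it. The ticket schema (external_id, opened_at, summary) and the target endpoint are assumptions standing in for Archer or ServiceNow; the sample response is constructed, not captured. It also covers the poster's observation that event_id is sometimes absent by falling back to rule_id, which the answer states carries the same value, and it skips repeated rows so a re-run does not open duplicate tickets. Note that this covers notable events (Incident Review), not the Investigations page.

```python
"""Pull ES notable events over the Splunk REST API and push them to a ticketing API.

Added example; not from the original thread. Assumes Splunk's documented
/services/search/jobs endpoint (exec_mode=oneshot, output_mode=json) and an
assumed generic JSON ticket endpoint standing in for Archer / ServiceNow.
"""
import json
import os
import urllib.parse
import urllib.request

# SPL from the answer above; a search string sent to the REST API must start
# with "search" (or a leading "|"), so it is prefixed here.
NOTABLE_SEARCH = "search `notable` | table _time, source, event_id, rule_id"


def build_oneshot_request(base_url, token, spl, earliest="-24h", latest="now"):
    """Build a POST to /services/search/jobs that runs `spl` and returns JSON rows in one call."""
    body = urllib.parse.urlencode({
        "search": spl,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    }).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/search/jobs",
                                 data=body, method="POST")
    # Splunk authentication token (Settings > Tokens). urllib verifies the TLS
    # certificate by default; do not hand urlopen an unverified SSL context.
    req.add_header("Authorization", "Bearer " + token)
    return req


def parse_oneshot_results(raw_json):
    """Return the list of result rows from a oneshot response body."""
    return json.loads(raw_json).get("results", [])


def to_ticket(row):
    """Map one notable row to the (assumed) ticket schema of the third-party API.

    rule_id and event_id carry the same value on a notable, so rule_id is used
    when event_id is missing, as in the poster's index.
    """
    notable_id = row.get("event_id") or row.get("rule_id")
    if not notable_id:
        raise ValueError("row has neither event_id nor rule_id: %r" % (row,))
    return {
        "external_id": notable_id,
        "opened_at": row.get("_time"),
        "summary": row.get("source", "unknown correlation search"),
    }


def build_tickets(raw_json):
    """Parse a response and produce one ticket per distinct notable (repeat rows are skipped)."""
    tickets, seen = [], set()
    for row in parse_oneshot_results(raw_json):
        ticket = to_ticket(row)
        if ticket["external_id"] in seen:
            continue  # re-running the search must not open a second ticket
        seen.add(ticket["external_id"])
        tickets.append(ticket)
    return tickets


def fetch_notables(base_url, token, spl=NOTABLE_SEARCH):
    """Run the search against Splunk and return the parsed rows (network call)."""
    with urllib.request.urlopen(build_oneshot_request(base_url, token, spl), timeout=60) as resp:
        return parse_oneshot_results(resp.read().decode("utf-8"))


def push_ticket(endpoint, api_key, ticket):
    """POST one ticket as JSON to the assumed third-party endpoint; returns the HTTP status."""
    req = urllib.request.Request(endpoint, data=json.dumps(ticket).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample of a oneshot response (not captured from a real instance).
SAMPLE_RESPONSE = json.dumps({
    "preview": False, "init_offset": 0, "messages": [],
    "fields": [{"name": "_time"}, {"name": "source"}, {"name": "event_id"}, {"name": "rule_id"}],
    "results": [
        {"_time": "2019-06-10T08:15:00.000+00:00", "source": "Access - Brute Force Access Behavior Detected - Rule",
         "event_id": "sched_a@@notable@@0001", "rule_id": "sched_a@@notable@@0001"},
        {"_time": "2019-06-10T08:15:00.000+00:00", "source": "Access - Brute Force Access Behavior Detected - Rule",
         "event_id": "sched_a@@notable@@0001", "rule_id": "sched_a@@notable@@0001"},
        {"_time": "2019-06-10T09:00:00.000+00:00", "source": "Threat - Threat List Activity - Rule",
         "rule_id": "sched_b@@notable@@0002"},
    ],
})

if __name__ == "__main__":
    # Real run: export SPLUNK_URL, SPLUNK_TOKEN, TICKET_URL, TICKET_KEY; otherwise the sample is used.
    rows = (fetch_notables(os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"])
            if "SPLUNK_URL" in os.environ else parse_oneshot_results(SAMPLE_RESPONSE))
    for ticket in build_tickets(json.dumps({"results": rows})):
        if "TICKET_URL" in os.environ:
            print(ticket["external_id"], push_ticket(os.environ["TICKET_URL"], os.environ["TICKET_KEY"], ticket))
        else:
            print(json.dumps(ticket))
```

Use a Splunk authentication token rather than a user password, scope it to a role that can only read the notable index, and keep it (and the ticketing API key) in the environment or a secrets store rather than in the script. The oneshot mode is fine for a few hundred notables per run; for larger volumes create the job normally and page through /services/search/jobs/{sid}/results with offset and count.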

lakshman239
Influencer

Thanks @LukeMurphey for the links, but not seeing info related to Investigations performed against notables. Am I missing something?

0 Karma

LukeMurphey
Champion

I might have mistakenly assumed that "investigation" was a reference to a notable. If so, then my answer is incorrect.

@ajaylowes: could you clarify if you mean a notable event (what you see on Incident Review) or an investigation (what you see on the "Investigations" page)?

0 Karma

ajaylowes
Path Finder

@LukeMurphey This is what we see on the "investigation" page

0 Karma